An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: September 2012

On September 12, Reps. Markey (D-MA) and DeGette (D-CO) introduced the Mobile Device Privacy Act, H.R. 6377. If enacted, the bill would place obligations on the mobile phone industry to disclose the use of tracking software, and to obtain consumer consent before the software is downloaded onto a device.

In a press statement introducing the legislation, Rep. Markey – who is co-Chair of the Bipartisan Congressional Privacy Caucus – stated that "Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information. This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to transmission." Opponents of the legislation, such as the Software & Information Industry Association, have argued that it "would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism."

The Markey bill would create new regulatory authority for the Federal Trade Commission to oversee aspects of the mobile industry. The bill would require the FTC, in consultation with the FCC, to issue rules requiring mobile device manufacturers, service providers, mobile operating system developers, and app developers to make disclosures to users about "monitoring software" installed on a mobile device. Monitoring software is broadly defined to include all software that "has the capability to monitor the usage" of the device, the user’s geolocation, and to transmit this information elsewhere. In the same vein, the bill also envisages FTC rules requiring device sellers and app developers to obtain a user’s "express consent" before monitoring or transmitting any information collected. The bill also envisages that all entities in receipt of monitoring data (i.e. first and third parties) implement information security policies and practices spanning data collection, retention, and disposal.

Enforcement authority under the bill goes primarily to the FTC, with secondary authority given to the FCC and the states. The bill does not exclude private enforcement actions by individuals. Statutory damages for these breaches would vary between $1,000 per unintentional violation and $3,000 per intentional violation.

The bill will not likely receive further attention from this Congress, which went into recess over the weekend pending the November elections.

On September 19, Sen. Jay Rockefeller (D-WV) sent letters to the CEOs at every Fortune 500 company seeking information on their companies’ cybersecurity practices and their concerns with respect to government involvement in protecting critical cyber infrastructure. Stating that he was "profoundly disappointed" in the Senate’s inability to pass comprehensive cybersecurity legislation in August, Sen. Rockefeller is urging President Obama to address cybersecurity issues through an Executive Order and is asking the CEOs for their views on cybersecurity, which he intends to use in support of future legislation.

Sen. Rockefeller asked the CEOs to respond by October 19, 2012 to the following eight questions:

– Has your company adopted a set of best practices to address its cybersecurity needs?

– If so, how were these cybersecurity practices developed?

– Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.

– When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?

– Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?

– What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?

– What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?

– What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

The Democratic and Republican Parties unveiled their respective policy platforms at their national conventions this past month. Both platforms address a host of issues related to internet freedoms and security, and differ greatly in some ways and little in others. The starkest contrast lies in the parties’ plans for protecting consumer privacy. However, in other areas such as cybersecurity, the differences seem more imagined than real.

Both party platforms prioritize the civil-liberties aspect of internet freedom but have different prescriptions for achieving it. The Democratic platform envisions information privacy as freedom from private intrusion and public censorship, “protecting an open Internet that fosters investment, innovation, creativity, consumer choice, and free speech, unfettered by censorship or undue violations of privacy.” It later touts the implementation of consumer privacy initiatives taken by the White House as a step in this direction: “That’s why the administration launched the Internet Privacy Bill of Rights and encouraged innovative solutions such as a Do Not Track option for consumers.”

Earlier Secure Times coverage on the White House’s privacy approach and Privacy Bill of Rights is available here.

The Republican platform, on the other hand, specifically promises greater protection of personal data from use by government and law enforcement. In what may be a nod to the holding in United States v. Jones and the ongoing debate over location tracking, the RNC pledges to “ensure that personal data receives full constitutional protection from government overreach.”

The RNC platform goes on to add its support for protection from private actors, such that “individuals retain the right to control the use of their data by third parties.” However, it argues that “the only way to safeguard or improve these systems is through the private sector.”

Both platforms agree on the great importance of cybersecurity. However, the RNC criticizes the Administration for not being proactive enough in its efforts to neutralize new cyberthreats:

The current Administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol. The current deterrence framework is overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression. The U.S. cannot afford to risk the cyber-equivalent of Pearl Harbor.

The platform does not name any specific measures to dissuade rather than defend against cyberthreats, but it goes on to criticize the administration for not enabling enough information-sharing between public and private parties. Nonetheless, the Democratic platform mentions “strengthening private sector and international partnerships” as well.

Both parties roundly agree on the multi-stakeholder policymaking framework. Both statements seem to paraphrase each other. The RNC platform states:

We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other intergovernmental organizations.

The Secure Times provided earlier coverage of the Multistakeholder Process here.